Financial institutions can expect deeper examinations this year, as the FDIC has issued FIL-105-207, which updates the IT Examination Officer's Questionnaire. The FDIC will verify that insured institutions have security procedures that protect customer data and safeguard against security risks and unauthorized access to that data. To ensure these concerns are addressed, the questionnaire is organized into five sections:
- Risk Assessment
- Operations Security & Risk Management
- Audit/Independent Review Program
- Disaster Recovery/Business Continuity Management
- Vendor Management/Service Provider Oversight
The first and fourth sections, specifically Risk Management and Disaster Recovery, are similar to the 2005 questionnaire with only small changes. The other sections have undergone several significant changes; one of the most significant is that the 2007 questionnaire adds a brand new section concentrating on Vendor Management concerns.
A particular issue raised by the FIL is that a majority of institutions do not have regular security awareness programs in place.
Training Awareness Using Non-Conventional Methods
Sophisticated threats now go well beyond traditional pharming, hacking, and vishing attacks; attacks are increasingly focused on clients and end users.
They exploit and affect users of mail clients and Internet browsers as well as third-party applications such as Adobe Reader. Because of these more sophisticated attacks, it is more crucial than ever to inform employees and users about the risks involved. This begins with ensuring that IT managers run training sessions that are compliant in the first place. What we at Covetrix found was that the majority of security awareness programs do not meet the requirements.
They are usually conducted annually or when an employee is first hired. Although a great deal of training is delivered, the understanding of these subjects can be lost within one or two weeks, mostly due to a lack of interest or to the style of the presentation. After a few weeks, employees can come to feel that warnings about phishing, pharming and vishing attacks (which we will refer to collectively as social engineering from here on) are crying wolf. Training programs need to be modified so that the crucial sense of importance remains high.
We believe that by providing non-traditional education built on real-world examples, financial institutions can not only train employees and increase their comprehension, but also help them understand how scams work, recognize a scam, and quickly uncover it before it has a negative impact on client privacy.